We're considering having a security audit on our network. A new hire (I call him database guy) is BFFs with our CFO. DB guy used to be the Director of IT at a private school (CFO hired him), but this is another story for another time.

The matter at hand is to prevent rogue devices from getting an IP from our DHCP server (on the LAN).

Database guy is suggesting we look at MAC address filtering on our LAN. I initially thought he was talking about the WiFi but no, the LAN.

The DB guy says we should be able to prohibit a person from plugging in a device on the LAN (prevent it from getting an IP via DHCP).

Unused jacks are not connected to the switch. DB guy asks what happens if this rogue person unplugs an existing computer, plugs their computer in, then gets a DHCP address, and starts to hack.

I'll check it out. But if the rogue user unplugs a computer and plugs in theirs, isn't that just one MAC?

The switch port registers the MAC address from the first device plugged into it (AKA your computer) and doesn't forget it. The issue with MAC address filtering these days is that MAC spoofing is very easy, and if you move around your devices it becomes difficult to manage because the port on the switch remembers the previous device and blocks the new device even if it's legitimate.

9 Replies

MAC filtering is certainly possible on the LAN. For example, you can set the switch to only allow one registered MAC address (per port); that way, if someone gets near an active port and tries to plug in, the switch will block traffic or shut down the port.
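The port-security setup the two replies above describe (one learned MAC per port, the port remembers it, port shut on violation), written out as an added example in Cisco IOS syntax; this is not from the thread or from any poster, and the interface name, VLAN and recovery interval are placeholders. The exec commands at the end are the operational side of the "port remembers the previous device" caveat.

```cisco
! Port security on one access port (Cisco IOS syntax assumed; the interface
! name and VLAN are placeholders). Matches the reply above: at most one
! learned MAC per port, and the port shuts down on a violation.
interface GigabitEthernet1/0/10
 description Office desk jack (placeholder)
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 1
 ! "sticky" copies the first learned MAC into the running config, so the
 ! port keeps it across link flaps and reboots. This is the "doesn't forget
 ! it" behaviour: a legitimately moved PC is blocked exactly like a rogue one.
 switchport port-security mac-address sticky
 ! shutdown = err-disable the port and raise a syslog/SNMP trap, which is
 ! the event worth alerting on rather than silently dropping frames.
 switchport port-security violation shutdown
 spanning-tree portfast
!
! Let an err-disabled port come back on its own after 5 minutes, so a user
! who just swapped a PC is not dark until someone logs into the switch.
errdisable recovery cause psecure-violation
errdisable recovery interval 300
!
! Exec-mode commands (not config) for day-to-day handling of the caveat:
! which MAC a port remembers, and how to forget it when a device is moved.
!   show port-security interface GigabitEthernet1/0/10
!   show port-security address
!   clear port-security sticky interface GigabitEthernet1/0/10
!   copy running-config startup-config   (sticky entries survive a reboot
!                                         only if the config is saved)
```

Note that none of this stops a device that spoofs the remembered MAC, which is the second point the reply makes; it raises the bar for a casual plug-in, not for a deliberate attacker.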




Or you could ask what's the business benefit. If they see it as a risk and you live in a highly regulated industry with big security risks, you could implement NAC and buy something like Portnox.

It's about layers. I have seen sites allow things like a Pwnie Express to be connected to spare outlets and destroy places, but is DB guy talking about external threats or employees bringing in their home laptops?





I'd like to, but he's BFFs with the CFO (who will likely be the next CEO).

If they are really worried about security on this level, I would suggest going towards an NPA server that simply segregates non-trusted devices and forces them onto a different network on a different VLAN. I believe Windows Server 2008 R2 and beyond all support this.

You have to look at how much time/effort/resources/cost/etc. are going to go into your security audits. Then you have to weigh that against how secure your environment realistically SHOULD be. Only you will know that balance, as much as we would like to input... If this is a medical/financial sector question, yeah, your security is going to be really tight and boxes are going to be hardened right down to the core. But that takes a lot more time and money. Can you give us a little more about your environment so we can give you some accurate suggestions?


We're a publicly traded REIT. 63 users, single location. Unused ports are not connected to the switch. I'm the lone IT guy (the DB guy handles our data initiative, QuickBase); I handle the infrastructure. We don't have many visitors; if we do, they're here for a 1 hour meeting. DB guy comes from a school. He was Director of IT. I believe he's a Trojan horse. He's an earpiece/mouthpiece for the CFO.

CFO has been here just about a year. After his first 6 months CFO brought on the DB. CFO then got interested in my world. He wanted a security audit to be completed by either PWC, KPMG, or E&Y. CFO wanted to be able to present the audit findings (and remediation steps) to the BOD.

Something shiny turned the CFO's attention to something else. Suddenly the audits (from the big 3) weren't going to happen. Lots of time wasted on my behalf preparing and having meetings, gathering proposals from them all. In fact, they don't even check in anymore.

DB guy has me creating possible security hardening projects, one of which is MAC address filtering. Apparently his team implemented it at the school he was D of IT of.

